MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f
SHA3-384 hash:	c8eff4fd7a78fa01cce70e2b7f4d26587c5ae4ee5a5017caa5051606cf50ace1d8c2a522662159fbeacf31e60f16995e
SHA1 hash:	ef85df5bae5528484b42c9b977b189f9eab5b5de
MD5 hash:	add1705e918c05d1e049c973176cb3d7
humanhash:	ink-delaware-six-edward
File name:	add1705e918c05d1e049c973176cb3d7.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	274'432 bytes
First seen:	2023-08-17 09:05:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:hKGLS39vS1ZzDQJtUE5bqPTxZbrezcLPznw:h5OED8tUIbez
Threatray	229 similar samples on MalwareBazaar
TLSH	T1AD44CF587208E805C7C879389F62CA755322BC7EAC688A7675F83F8F37FD117A500266
TrID	50.8% (.EXE) Win64 Executable (generic) (10523/12/4) 10.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 9.9% (.ICL) Windows Icons Library (generic) (2059/9) 9.8% (.EXE) OS/2 Executable (generic) (2029/13) 9.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	0000000000000000 (898 x AgentTesla, 540 x Formbook, 316 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
114.200.45.42:6522

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

add1705e918c05d1e049c973176cb3d7.exe

Verdict:

Malicious activity

Analysis date:

2023-08-17 09:07:42 UTC

Tags:

njrat rat bladabindi

Link:

https://app.any.run/tasks/5005851f-5ce4-4c87-8388-73a2fb129eda

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/443174/

Detection(s):

Win.Trojan.Generic-6335829-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Creating a process with a hidden window

Searching for synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Launching the process to change the firewall settings

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/70515606-ee08-451e-97b1-90a216485706

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1292661

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Modifies the windows firewall

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Uses netsh to modify the Windows network and firewall settings

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2023-08-14 10:33:39 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=woh6bdocfyanrb5rdyd2f7askiu7x7i6bz44sr76r456nf6dxv7q._file

Verdict:

malicious

Label(s):

njrat

38b152d95fa2fec41b84833f70030ccce86c2295bcef323c7ee804591f0354ee

njrat

54622fa73246157a2e25e418d554d5ccafc663151ac067819d18f48caad9a32c

njrat

f3239d2f02093fe2bbd7b3b18930c73ecd39cfb6f9d5f63ff922e81ce5ac8c16

njrat

f7b1f59d4c4e68848083a7d5310653e6a77505f01182284df5c2205c9ed32af0

njrat

f8d0609debf08c60070fef13599aa2b10d66f43ddc904a8176d2ef0ffa01a8fe

njrat

fef984d0cfaacd9e1685f796788009e017649a9485e7927a61968007f6e05bcd

njrat

+ 219 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion trojan

Link:

https://tria.ge/reports/230817-k2q28age72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Windows Firewall

njRAT/Bladabindi

Unpacked files

SH256 hash:

b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f

MD5 hash:

add1705e918c05d1e049c973176cb3d7

SHA1 hash:

ef85df5bae5528484b42c9b977b189f9eab5b5de

Link:

https://www.unpac.me/results/797084c7-ed07-4299-b4c8-8b47f3d3d6f8/

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b38fe08dc22e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b38fe08dc22e00d887b11e07a2fc125229fbfd1e0e79c947fe8f3be697c3bd7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/443174/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample